A serious security flaw has been found in Windows 7. While fixed in the RTM build, testers are at risk if they don't run a free tool to disable the vulnerable component. (Source: Sydney Morning Herald)

Serious security flaw reminds users of both the dangers and benefits of testing trial software

In software, your security track record is ideally judged by the products you release, not the products you are developing. Nonetheless, Microsoft is drawing flak over an unpatched vulnerability in the beta and Release Candidate versions of Windows 7, in Windows Vista, and in Windows Server 2008. With attacks incoming, Microsoft and security experts are urging testers to run a workaround that disables the exploitable component in the meantime. The entire mess, though, goes to demonstrate both the dangers and the benefits of thorough software testing.

Windows 7 is arguably the most thoroughly publicly tested piece of unreleased software in the history of software engineering. An unprecedented testing program offered up both a beta and a release candidate build to the public, with millions worldwide taking the new OS out for a test drive. Many problems were thus identified and fixed.

Overall, Windows 7 is more secure, thanks to numerous protections. However, the SMB (Server Message Block) 2 code, which implements a network file- and print-sharing protocol and is present in the test builds, was recently found to have an exploitable vulnerability. Early testing demonstrated that the vulnerability could be used to blue-screen Windows boxes.

Now, more thorough research has demonstrated that the flaw can be exploited for complete system takeovers. Miami Beach-based Immunity, makers of the CANVAS penetration testing framework, built a proof-of-concept exploit that uses the SMB 2 flaw to execute remote code. The exploit was released last Wednesday to paid subscribers.

This week Mark Wodrich and Jonathan Ness, both members of the Microsoft Security Response Center (MSRC) engineering team, posted a blog discussing the exploit. The good news, they say, is that it's fixed in the RTM build and will not be present in the retail release of Windows 7. The bad news, they say, is that in the Release Candidate and beta builds the flaw is every bit as severe as the security firms indicated. Writes the pair, "We have analyzed the code ourselves and can confirm that it works reliably against 32-bit Windows Vista and Windows Server 2008 systems. The exploit gains complete control of the targeted system and can be launched by an unauthenticated user."

Meanwhile, security researcher HD Moore says that the exploit will soon be added to Metasploit, an open source security toolkit he helps write. The kit is free and widely used by hackers to craft attacks. In other words, expect the SMB 2 attacks to be coming in weeks, not months.

Microsoft is hard at work crafting a patch to deploy to its testers. Microsoft's next patch day is still a ways away, though: October 13. In the meantime it's offering users a "Fix-it" tool as a stopgap solution. The automated tool, available here, will disable the SMB 2 code and prevent its exploitation. Microsoft and security firms are strongly urging users (that includes beta testers and enthusiasts running Release Candidate versions of Windows 7) to run the tool as soon as possible, though Microsoft believes there are no working attacks currently in the wild.

While some have taken the SMB 2 bug as an opportunity to fling mud at Windows 7's security, it's best to reserve judgment for the final product. If Windows 7 releases with few flaws, Microsoft (and its testers) should be thanked for an unprecedented testing program that has caught potential "show stopping" vulnerabilities like this one. With robust protections, upcoming free anti-malware protections, and a rapidly diminishing list of exploitable routes, Windows 7 is shaping up quite nicely.

While testing is a great experience, this security crisis also goes to show that those testing should be aware of the security dangers they put themselves in. While fewer attacks will be geared specifically toward unreleased software, it is likely that test software will have more exploitable flaws. With great new software comes great responsibility to stay vigilant and informed, and to get the latest protections and workarounds, while the vendor polishes the final product (granted, this axiom applies to release software as well, to a lesser extent).

Update 1 11:21 p.m., Mon. Sept 21, 2009: Some users are reporting trouble running the tool to disable SMB 2. As Microsoft's security advisory lists the Windows 7 RC as affected (see the FAQ; it's not in the listed OSes) and says to follow the advised steps, it's unclear what to do here. Brandon Hill tried to run the tool on the 64-bit version of the release candidate, as the commenter did, and confirmed that it fails. It's unclear whether the tool works for 32-bit release candidates, the betas, or none of the Windows 7 releases at all. We'll update further as we get more details.

Update 2 8:15 a.m., Tues., Sept 22 2009: Windows 7 RC and beta users can and should run the tool; however, you can't simply double-click it and run it as-is. Follow these steps:
1. Download the tool here (this is the same tool I previously linked to).
2. Right-click the tool, select Properties, select the Compatibility tab, select "Run this program in compatibility mode for: Previous version of Windows", click Apply, then click OK.
3. As an admin, run the tool by double-clicking it. Click Yes on the security and UAC warnings.
4. Check your registry to verify the update worked, as outlined here.

An alternative is to modify your registry manually. Thanks, evilharp, for figuring out that the tool would run in compatibility mode and detailing the steps required!
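As an added example (not the article's tool and not Microsoft's code), the following PowerShell covers step 4 and the manual-registry alternative: it reports whether the SMB 2 workaround is in place and can apply it. The `Smb2` DWORD under the LanmanServer `Parameters` key is assumed here to be the value the Fix-it tool sets (0 = SMB 2 disabled); applying it needs an elevated prompt and a restart of the Server service.

```powershell
# Added example, not from the article or from Microsoft's Fix-it tool.
# Assumption: the registry value the article's step 4 refers to is the
# LanmanServer "Smb2" DWORD from Microsoft's advisory (0 = SMB 2 disabled).
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'Smb2'

function Get-Smb2WorkaroundState {
    # Returns 'Applied' only when the value exists and is exactly 0.
    # A missing value means SMB 2 is still enabled (the default), so that
    # case is reported as 'NotApplied' rather than treated as success.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.$ValueName -and [int]$props.$ValueName -eq 0) {
        return 'Applied'
    }
    return 'NotApplied'
}

function Set-Smb2Workaround {
    # Manual equivalent of the Fix-it tool: write the DWORD, then restart the
    # Server service so the running SMB stack picks the change up.
    # Must be run from an elevated (Run as administrator) PowerShell.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    Restart-Service -Name LanmanServer -Force
}

# Verification run (step 4): report the current state and what to do next.
$state = Get-Smb2WorkaroundState
Write-Host "SMB 2 workaround state: $state"
if ($state -eq 'NotApplied') {
    Write-Host 'Run Set-Smb2Workaround from an elevated PowerShell, then re-run this check.'
}
```

Re-run the check after the service restart; a reboot also works if the restart is refused because of open file shares.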

Comments


Nobody cares about beta and RC releases. They are for testing anyway. You should not run them in a production/real world environment to begin with.

It is already stated that this does not apply to Windows 7 RTM. So no normal person will stumble upon this...unlike those Apple fanatics that got Snow Leopard that came with a known vulnerability in its retail release.